Bug 170165 - [testcase] crash on javascript on http://news.aol.ca/article/north-mapping/324605/
Status: RESOLVED FIXED
Product: konqueror
Classification: Applications
Component: khtml
Version: SVN
Platform: unspecified Linux
Importance: NOR crash
Assignee: Konqueror Developers
Duplicates: 202832
Reported: 2008-09-01 08:43 UTC by Oliver Putz
Modified: 2010-08-15 19:56 UTC


Attachments
Reduced testcase (855 bytes, text/html), 2008-09-01 23:39 UTC, Frank Reininghaus

Description Oliver Putz 2008-09-01 08:43:03 UTC
Version:           4.1.00 (KDE 4.1.0) (using 4.1.00 (KDE 4.1.0), Gentoo)
Compiler:          i686-pc-linux-gnu-gcc
OS:                Linux (i686) release 2.6.25-gentoo-r7

I was reading http://news.aol.ca/article/north-mapping/324605/
When I scrolled down, konqueror all of a sudden crashed with the backtrace below. As I just double-clicked on the address bar in order to copy and paste the URL, konqueror crashed again with the same backtrace.

Application: Konqueror (konqueror), signal SIGSEGV
[Thread debugging using libthread_db enabled]
[New Thread 0xb61c0700 (LWP 2350)]
[KCrash handler]
#6  0xb3043bcd in khtml::RenderBlock::nodeAtPoint (this=0xa8ba160, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=1692, 
    hitTestAction=HitTestAll, inBox=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_block.cpp:2660
#7  0xb3043c88 in khtml::RenderBlock::nodeAtPoint (this=0xa8ba0dc, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=259, 
    hitTestAction=HitTestAll, inBox=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_block.cpp:2663
#8  0xb305a572 in khtml::RenderObject::nodeAtPoint (this=0xa89d794, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=259, 
    hitTestAction=HitTestChildrenOnly, inside=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_object.cpp:2076
#9  0xb3043cfb in khtml::RenderBlock::nodeAtPoint (this=0xa89d794, 
    info=@0xbfc5182c, _x=591, _y=1666, _tx=397, _ty=259, 
    hitTestAction=HitTestChildrenOnly, inBox=false)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_block.cpp:2667
#10 0xb307822a in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88fa08, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1194
#11 0xb3078143 in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88fa6c, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1187
#12 0xb3078143 in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88f748, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1187
#13 0xb30780f7 in khtml::RenderLayer::nodeAtPointForLayer (this=0xa88f660, 
    rootLayer=0xa88f660, info=@0xbfc5182c, xMousePos=591, yMousePos=1666, 
    hitTestRect=@0xbfc517ec)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1176
#14 0xb3078834 in khtml::RenderLayer::nodeAtPoint (this=0xa88f660, 
    info=@0xbfc5182c, x=591, y=1666)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/rendering/render_layer.cpp:1137
#15 0xb2fd5f86 in DOM::MouseEventImpl::computeLayerPos (this=0xb3e7aa8)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/xml/dom2_eventsimpl.cpp:299
#16 0xb2fd86c8 in MouseEventImpl (this=0xb3e7aa8, 
    _id=DOM::EventImpl::MOUSEOVER_EVENT, canBubbleArg=true, 
    cancelableArg=true, viewArg=0xa111d58, detailArg=0, screenXArg=591, 
    screenYArg=646, clientXArg=591, clientYArg=526, pageXArg=591, 
    pageYArg=1666, ctrlKeyArg=false, altKeyArg=false, shiftKeyArg=false, 
    metaKeyArg=false, buttonArg=65535, relatedTargetArg=0xb3966f0, qe=0x0, 
    isDoubleClick=false, orient=DOM::MouseEventImpl::ONone)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/xml/dom2_eventsimpl.cpp:279
#17 0xb2f31930 in KHTMLView::dispatchMouseEvent (this=0xac4c380, eventId=7, 
    targetNode=0xb395c48, targetNodeNonShared=0xb395c18, cancelable=false, 
    detail=0, _mouse=0xbfc523d0, setUnder=true, mouseEventType=4, orient=0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:3590
#18 0xb2f39233 in KHTMLView::mouseMoveEvent (this=0xac4c380, 
    _mouse=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:1316
#19 0xb684cbe2 in QWidget::event (this=0xac4c380, event=0xbfc523d0)
    at kernel/qwidget.cpp:6912
#20 0xb6ba14b9 in QFrame::event (this=0xac4c380, e=0xbfc523d0)
    at widgets/qframe.cpp:657
#21 0xb2f37c3c in KHTMLView::widgetEvent (this=0xac4c380, e=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:2303
#22 0xb2f3acb4 in KHTMLView::eventFilter (this=0xac4c380, o=0x9f80658, 
    e=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/khtml/khtmlview.cpp:2167
#23 0xb74a7192 in QCoreApplicationPrivate::sendThroughObjectEventFilters (
    this=0x8057c38, receiver=0x9f80658, event=0xbfc523d0)
    at kernel/qcoreapplication.cpp:694
#24 0xb67f3884 in QApplicationPrivate::notify_helper (this=0x8057c38, 
    receiver=0x9f80658, e=0xbfc523d0) at kernel/qapplication.cpp:3768
#25 0xb67f7b60 in QApplication::notify (this=0xbfc52b7c, receiver=0x9f80658, 
    e=0xbfc523d0) at kernel/qapplication.cpp:3501
#26 0xb7a776c3 in KApplication::notify (this=0xbfc52b7c, receiver=0x9f80658, 
    event=0xbfc523d0)
    at /var/tmp/portage/kde-base/kdelibs-4.1.0/work/kdelibs-4.1.0/kdeui/kernel/kapplication.cpp:311
#27 0xb74a6d59 in QCoreApplication::notifyInternal (this=0xbfc52b7c, 
    receiver=0x9f80658, event=0xbfc523d0) at kernel/qcoreapplication.cpp:587
#28 0xb67f967f in QApplicationPrivate::sendMouseEvent (receiver=0x9f80658, 
    event=0xbfc523d0, alienWidget=0x9f80658, nativeWidget=0x8133138, 
    buttonDown=0xb6fdac40, lastMouseReceiver=@0xb6fdac44)
    at ../../include/QtCore/../../src/corelib/kernel/qcoreapplication.h:218
#29 0xb685e91e in QETWidget::translateMouseEvent (this=0x8133138, 
    event=0xbfc527c8) at kernel/qapplication_x11.cpp:4133
#30 0xb685d48d in QApplication::x11ProcessEvent (this=0xbfc52b7c, 
    event=0xbfc527c8) at kernel/qapplication_x11.cpp:3133
#31 0xb6883ed8 in QEventDispatcherX11::processEvents (this=0x80576f8, 
    flags=@0xbfc528b8) at kernel/qeventdispatcher_x11.cpp:134
#32 0xb74a60d3 in QEventLoop::processEvents (this=0xbfc52930, 
    flags=@0xbfc528f8) at kernel/qeventloop.cpp:149
#33 0xb74a6246 in QEventLoop::exec (this=0xbfc52930, flags=@0xbfc52938)
    at kernel/qeventloop.cpp:200
#34 0xb74a8401 in QCoreApplication::exec () at kernel/qcoreapplication.cpp:845
#35 0xb67f323f in QApplication::exec () at kernel/qapplication.cpp:3304
#36 0xb7f1ecf1 in kdemain (argc=4, argv=0xbfc52e94)
    at /var/tmp/portage/kde-base/konqueror-4.1.0/work/konqueror-4.1.0/apps/konqueror/src/konqmain.cpp:227
#37 0x080488a2 in main (argc=-1288708056, argv=0xb076cb0)
    at /var/tmp/portage/kde-base/konqueror-4.1.0/work/konqueror_build/apps/konqueror/src/konqueror_dummy.cpp:3
#0  0xffffe424 in __kernel_vsyscall ()
Comment 1 Oliver Putz 2008-09-01 08:49:58 UTC
I just found out what seems to make konqueror crash on this particular page:
At the end of the article you can find two buttons to rate the article (directly above the comments ("must read")). As soon as you hover over one of the buttons, konqueror crashes with the already posted backtrace.
Comment 2 Frank Reininghaus 2008-09-01 23:39:00 UTC
Created attachment 27181 [details]
Reduced testcase

This reduced test case still crashes 4.1, 3.5.10, and trunk rev. 855891 for me when you move the mouse over the link and back. Note that the odd structure of 3 nested <div>'s with the "float:left" CSS attribute is needed to get a crash.
Comment 3 Oliver Putz 2008-11-28 13:36:09 UTC
Testcase still crashes in KDE-4.1.80
Comment 4 Oliver Putz 2009-06-30 20:13:53 UTC
Testcase still crashes in KDE-4.2.4
Comment 5 Tommi Tervo 2009-08-06 19:01:01 UTC
*** Bug 202832 has been marked as a duplicate of this bug. ***
Comment 6 Tommi Tervo 2009-08-06 19:12:19 UTC
svn r1006846 (without arena_allocator)

==15618== Invalid read of size 4
==15618==    at 0xB02A9CD: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2757)
==15618==    by 0xB073A18: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1227)
==15618==    by 0xB073882: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1209)
==15618==    by 0xB074185: khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int) (render_layer.cpp:1170)
==15618==    by 0xAF92A35: DOM::MouseEventImpl::computeLayerPos() (dom2_eventsimpl.cpp:299)
==15618==    by 0xAF96F2B: DOM::MouseEventImpl::MouseEventImpl(DOM::EventImpl::EventId, bool, bool, DOM::AbstractViewImpl*, long, long, long, long, long, long, long, bool, bool, bool, bool, unsigned short, DOM::NodeImpl*, QMouseEvent*, bool, DOM::MouseEventImpl::Orientation) (dom2_eventsimpl.cpp:279)
==15618==    by 0xAE9F0C3: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3654)
==15618==    by 0xAEAA576: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1351)
==15618==    by 0x501E30C: QWidget::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x53AFAD2: QFrame::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0xAEA83C0: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2325)
==15618==    by 0xAEAE659: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:2189)
==15618==    by 0x4D98899: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
Comment 7 Tommi Tervo 2009-08-06 19:21:37 UTC
==15618== Invalid read of size 4
==15618==    at 0xB02A9CD: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2757)
==15618==    by 0xB073A18: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1227)
==15618==    by 0xB073882: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1209)
==15618==    by 0xB074185: khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int) (render_layer.cpp:1170)
==15618==    by 0xAF92A35: DOM::MouseEventImpl::computeLayerPos() (dom2_eventsimpl.cpp:299)
==15618==    by 0xAF96F2B: DOM::MouseEventImpl::MouseEventImpl(DOM::EventImpl::EventId, bool, bool, DOM::AbstractViewImpl*, long, long, long, long, long, long, long, bool, bool, bool, bool, unsigned short, DOM::NodeImpl*, QMouseEvent*, bool, DOM::MouseEventImpl::Orientation) (dom2_eventsimpl.cpp:279)
==15618==    by 0xAE9F0C3: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3654)
==15618==    by 0xAEAA576: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1351)
==15618==    by 0x501E30C: QWidget::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x53AFAD2: QFrame::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0xAEA83C0: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2325)
==15618==    by 0xAEAE659: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:2189)
==15618==    by 0x4D98899: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FC7689: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x4FD0340: QApplication::notify(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x479A964: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)
==15618==    by 0x4D9968A: QCoreApplication::notifyInternal(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FCF3AD: QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x503F805: (within /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x503EBDC: QApplication::x11ProcessEvent(_XEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x50686EB: (within /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x5DB92F8: g_main_context_dispatch (in /usr/lib/libglib-2.0.so.0.1600.3)
==15618==    by 0x5DBC87A: (within /usr/lib/libglib-2.0.so.0.1600.3)
==15618==    by 0x5DBC9F7: g_main_context_iteration (in /usr/lib/libglib-2.0.so.0.1600.3)
==15618==    by 0x4DC4FC7: QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x5067DB4: (within /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x4D97CC9: QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4D98111: QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4D9A598: QCoreApplication::exec() (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FC7526: QApplication::exec() (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x40F3282: kdemain (konqmain.cpp:257)
==15618==    by 0x8048745: main (konqueror_dummy.cpp:3)
==15618==  Address 0xa4b11d8 is 8 bytes inside a block of size 140 free'd
==15618==    at 0x4023B7A: free (in /usr/lib/valgrind/x86-linux/vgpreload_memcheck.so)
==15618==    by 0xB07056D: khtml::RenderArena::free(unsigned, void*) (render_arena.cpp:122)
==15618==    by 0xB049521: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:2387)
==15618==    by 0xB0495FC: khtml::RenderObject::detach() (render_object.cpp:2372)
==15618==    by 0xB0655CE: khtml::RenderBox::detach() (render_box.cpp:224)
==15618==    by 0xB0685CF: khtml::RenderFlow::detach() (render_flow.cpp:362)
==15618==    by 0xAF61FAD: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:975)
==15618==    by 0xAF6202B: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1838)
==15618==    by 0xAF733AF: DOM::ElementImpl::detach() (dom_elementimpl.cpp:884)
==15618==    by 0xAF72F80: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:958)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF730C0: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:989)
==15618==    by 0xAFCF741: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:242)
==15618==    by 0xAF4BB99: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1436)
==15618==    by 0xAF43FEA: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1465)
==15618==    by 0xAF4B6B9: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1478)
==15618==    by 0xB1CFDC4: KJS::Window::afterScriptExecution() (kjs_window.cpp:1269)
==15618==    by 0xB20385D: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:119)
==15618==    by 0xB2038DF: KJS::JSLazyEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:159)
==15618==    by 0xAF66B66: DOM::NodeImpl::handleLocalEvents(DOM::EventImpl*, bool) (dom_nodeimpl.cpp:718)
==15618==    by 0xAF68C3D: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:501)
==15618==    by 0xAF66D2A: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:453)
==15618==    by 0xAE9EF52: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3645)
==15618==    by 0xAEAA576: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1351)
==15618==    by 0x501E30C: QWidget::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x53AFAD2: QFrame::event(QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0xAEA83C0: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2325)
==15618==    by 0xAEAE659: KHTMLView::eventFilter(QObject*, QEvent*) (khtmlview.cpp:2189)
==15618==    by 0x4D98899: QCoreApplicationPrivate::sendThroughObjectEventFilters(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FC7689: QApplicationPrivate::notify_helper(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x4FD0340: QApplication::notify(QObject*, QEvent*) (in /usr/lib/libQtGui.so.4.5.3)
==15618==    by 0x479A964: KApplication::notify(QObject*, QEvent*) (kapplication.cpp:302)
==15618==    by 0x4D9968A: QCoreApplication::notifyInternal(QObject*, QEvent*) (in /usr/lib/libQtCore.so.4.5.3)
==15618==    by 0x4FCF3AD: QApplicationPrivate::sendMouseEvent(QWidget*, QMouseEvent*, QWidget*, QWidget*, QWidget**, QPointer<QWidget>&) (in /usr/lib/libQtGui.so.4.5.3)
==15618==
Comment 8 FiNeX 2010-08-15 16:40:03 UTC
Crash confirmed in KDE 4.4.4, 4.4.5 and KDE 4.5.0
Comment 9 Maksim Orlovich 2010-08-15 18:08:26 UTC
Updated line numbers:
==2962== Invalid read of size 4
==2962==    at 0xCB7AA3E: khtml::RenderBlock::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int, int, int, HitTestAction, bool) (render_block.cpp:2790)
==2962==    by 0xCBB9CC1: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1232)
==2962==    by 0xCBB9B80: khtml::RenderLayer::nodeAtPointForLayer(khtml::RenderLayer*, khtml::RenderObject::NodeInfo&, int, int, QRect const&) (render_layer.cpp:1214)
==2962==    by 0xCBBA323: khtml::RenderLayer::nodeAtPoint(khtml::RenderObject::NodeInfo&, int, int) (render_layer.cpp:1175)
==2962==    by 0xCAF85A4: DOM::MouseEventImpl::computeLayerPos() (dom2_eventsimpl.cpp:523)
==2962==    by 0xCAFB226: DOM::MouseEventImpl::MouseEventImpl(DOM::EventImpl::EventId, bool, bool, DOM::AbstractViewImpl*, long, long, long, long, long, long, long, bool, bool, bool, bool, unsigned short, DOM::NodeImpl*, QMouseEvent*, bool, DOM::MouseEventImpl::Orientation) (dom2_eventsimpl.cpp:503)
==2962==    by 0xCA17330: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3699)
==2962==    by 0xCA205D8: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1363)
==2962==    by 0x59A7F96: QWidget::event(QEvent*) (qwidget.cpp:8029)
==2962==    by 0x5DD8F89: QFrame::event(QEvent*) (qframe.cpp:557)
==2962==    by 0xCA1E9BB: KHTMLView::widgetEvent(QEvent*) (khtmlview.cpp:2363)
==2962==  Address 0x7952b30 is 8 bytes inside a block of size 140 free'd
==2962==    at 0x4023996: free (vg_replace_malloc.c:325)
==2962==    by 0xCBB6E45: khtml::RenderArena::free(unsigned int, void*) (render_arena.cpp:122)
==2962==    by 0xCB951A2: khtml::RenderObject::arenaDelete(khtml::RenderArena*, void*) (render_object.cpp:2399)
==2962==    by 0xCB95267: khtml::RenderObject::detach() (render_object.cpp:2384)
==2962==    by 0xCBAD50A: khtml::RenderBox::detach() (render_box.cpp:223)
==2962==    by 0xCBAFE8A: khtml::RenderFlow::detach() (render_flow.cpp:361)
==2962==    by 0xCACDEAB: DOM::NodeImpl::detach() (dom_nodeimpl.cpp:901)
==2962==    by 0xCACDF2F: DOM::NodeBaseImpl::detach() (dom_nodeimpl.cpp:1891)
==2962==    by 0xCADC7E1: DOM::ElementImpl::detach() (dom_elementimpl.cpp:913)
==2962==    by 0xCADC45D: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:987)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCADC54E: DOM::ElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_elementimpl.cpp:1018)
==2962==    by 0xCB2DCB8: DOM::HTMLElementImpl::recalcStyle(DOM::NodeImpl::StyleChange) (html_elementimpl.cpp:235)
==2962==    by 0xCABBF76: DOM::DocumentImpl::recalcStyle(DOM::NodeImpl::StyleChange) (dom_docimpl.cpp:1439)
==2962==    by 0xCAB5388: DOM::DocumentImpl::updateRendering() (dom_docimpl.cpp:1468)
==2962==    by 0xCABBB54: DOM::DocumentImpl::updateDocumentsRendering() (dom_docimpl.cpp:1481)
==2962==    by 0xCCE566B: KJS::Window::afterScriptExecution() (kjs_window.cpp:1282)
==2962==    by 0xCD121E5: KJS::JSEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:119)
==2962==    by 0xCD122AF: KJS::JSLazyEventListener::handleEvent(DOM::Event&) (kjs_events.cpp:159)
==2962==    by 0xCAFC466: DOM::EventTargetImpl::handleLocalEvents(DOM::EventImpl*, bool) (dom2_eventsimpl.cpp:61)
==2962==    by 0xCAD26BC: DOM::NodeImpl::dispatchGenericEvent(DOM::EventImpl*, int&) (dom_nodeimpl.cpp:469)
==2962==    by 0xCAD0EEA: DOM::NodeImpl::dispatchEvent(DOM::EventImpl*, int&, bool) (dom_nodeimpl.cpp:401)
==2962==    by 0xCA17228: KHTMLView::dispatchMouseEvent(int, DOM::NodeImpl*, DOM::NodeImpl*, bool, int, QMouseEvent*, bool, int, int) (khtmlview.cpp:3690)
==2962==    by 0xCA205D8: KHTMLView::mouseMoveEvent(QMouseEvent*) (khtmlview.cpp:1363)
Comment 10 Maksim Orlovich 2010-08-15 18:27:02 UTC
OK... So we have a dangling pointer on the float list; but what I am confused about is how the list is supposed to be kept up-to-date; it only seems to be done by layout(BlockChildren), but I don't see how that would be forced..
Comment 11 Maksim Orlovich 2010-08-15 19:55:37 UTC
SVN commit 1164054 by orlovich:

Go ahead and be far more strict about keeping the special child object lists up-to-date.

BUG: 170165


 M  +9 -0      render_object.cpp  
 M  +1 -1      render_object.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1164054
Comment 12 Maksim Orlovich 2010-08-15 19:56:17 UTC
SVN commit 1164055 by orlovich:

Merged revision:r1164054 | orlovich | 2010-08-15 13:58:58 -0400 (Sun, 15 Aug 2010) | 4 lines

Go ahead and be far more strict about keeping the special child object lists up-to-date.

BUG: 170165

 M  +9 -0      render_object.cpp  
 M  +1 -1      render_object.h  


WebSVN link: http://websvn.kde.org/?view=rev&revision=1164055
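The dangling float-list pointer diagnosed in Comment 10 and the "keep the special child object lists up-to-date" fix committed in Comment 11, as an added C++ model written for this page (not kdelibs code). Class and method names echo khtml's; the `g_live` allocation tracker and the `strictLists` switch are hypothetical stand-ins for valgrind and for the pre-/post-fix code paths.

```cpp
// Added model of the float-list invariant behind this bug; not kdelibs code.
// A block caches raw pointers to its floating children; if a child renderer is
// detached without leaving that cache, the next hit test walks a freed object.
#include <algorithm>
#include <cstdio>
#include <set>
#include <vector>

// Hypothetical live-allocation tracker so the demo can detect a stale pointer
// instead of dereferencing it (the role valgrind plays in the report above).
static std::set<const void*> g_live;

struct RenderBox;

struct RenderBlock {
    std::vector<RenderBox*> children;   // owned child renderers
    std::vector<RenderBox*> floats;     // cached "special child" list (raw ptrs)
    bool strictLists;                   // false models the pre-fix behaviour

    explicit RenderBlock(bool strict) : strictLists(strict) { g_live.insert(this); }
    ~RenderBlock();
    void addFloat(RenderBox* box) { floats.push_back(box); }
    void removeFloat(RenderBox* box) {
        floats.erase(std::remove(floats.begin(), floats.end(), box), floats.end());
    }
    // Hit test over the float list; returns how many entries point at freed
    // memory. In khtml each such entry is the invalid read in nodeAtPoint().
    std::size_t nodeAtPoint() const;
};

struct RenderBox {
    RenderBlock* parent;
    RenderBox(RenderBlock* p, bool floating) : parent(p) {
        g_live.insert(this);
        p->children.push_back(this);
        if (floating) p->addFloat(this);
    }
    ~RenderBox() { g_live.erase(this); }

    // detach(): destroy this renderer. Pre-fix the parent's float list keeps
    // the dangling pointer; strict mode removes it first, as the fix does.
    void detach() {
        if (parent->strictLists) parent->removeFloat(this);
        std::vector<RenderBox*>& c = parent->children;
        c.erase(std::remove(c.begin(), c.end(), this), c.end());
        delete this;
    }
};

RenderBlock::~RenderBlock() {
    for (RenderBox* c : children) delete c;
    g_live.erase(this);
}

std::size_t RenderBlock::nodeAtPoint() const {
    std::size_t stale = 0;
    for (const RenderBox* f : floats)
        if (!g_live.count(f)) ++stale;    // would be a use-after-free read
    return stale;
}

// The sequence from the valgrind trace: the mouseover handler's script forces
// recalcStyle, which detaches the floated <div>; the view then builds the next
// MouseEventImpl, whose computeLayerPos() hit-tests over the stale float list.
std::size_t hoverScenario(bool strictLists) {
    RenderBlock block(strictLists);
    RenderBox* floated = new RenderBox(&block, true);   // the float:left child
    new RenderBox(&block, false);                       // an ordinary sibling
    floated->detach();                                  // recalcStyle -> detach()
    return block.nodeAtPoint();                         // hit test for next event
}

int main() {
    std::printf("pre-fix stale float entries: %zu\n", hoverScenario(false));  // 1
    std::printf("strict-list stale entries:   %zu\n", hoverScenario(true));   // 0
    return 0;
}
```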